Overview
First, set up the IP-to-hostname mappings:
192.168.100.01 hadoop01.gyb.bigdata.demo.com hadoop01
192.168.100.02 hadoop02.gyb.bigdata.demo.com hadoop02
192.168.100.03 hadoop03.gyb.bigdata.demo.com hadoop03
192.168.100.04 hadoop04.gyb.bigdata.demo.com hadoop04
# That is, edit the hosts file:
vim /etc/hosts
IPA-Client installation
First, sync the configuration file:
sh /home/go2rsync.sh /etc/krb5.conf
Install ipa-client (run on every machine where the client is to be installed):
ipa-client-install --domain=GYB.BIGDATA.DEMO.COM --server=hadoop01.gyb.bigdata.demo.com --realm=GYB.BIGDATA.DEMO.COM --principal=admin@GYB.BIGDATA.DEMO.COM --enable-dns-updates
The full output is as follows:
[root@hadoop02 ~]# ipa-client-install --domain=GYB.BIGDATA.DEMO.COM --server=hadoop01.gyb.bigdata.demo.com --realm=GYB.BIGDATA.DEMO.COM --principal=admin@GYB.BIGDATA.DEMO.COM --enable-dns-updates
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname: hadoop02.gyb.bigdata.demo.com
Realm: GYB.BIGDATA.DEMO.COM
DNS Domain: gyb.bigdata.demo.com
IPA Server: hadoop01.gyb.bigdata.demo.com
BaseDN: dc=gyb,dc=bigdata,dc=demo,dc=com
Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Password for admin@GYB.BIGDATA.DEMO.COM:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=GYB.BIGDATA.DEMO.COM
Issuer: CN=Certificate Authority,O=GYB.BIGDATA.DEMO.COM
Valid From: 2021-11-02 02:58:23
Valid Until: 2041-11-02 02:58:23
Enrolled in IPA realm GYB.BIGDATA.DEMO.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm GYB.BIGDATA.DEMO.COM
trying https://hadoop01.gyb.bigdata.demo.com/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://hadoop01.gyb.bigdata.demo.com/ipa/json'
trying https://hadoop01.gyb.bigdata.demo.com/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://hadoop01.gyb.bigdata.demo.com/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://hadoop01.gyb.bigdata.demo.com/ipa/session/json'
Systemwide CA database updated.
Hostname (hadoop02.gyb.bigdata.demo.com) does not have A/AAAA record.
Failed to update DNS records.
Missing A/AAAA record(s) for host hadoop02.gyb.bigdata.demo.com: 192.168.100.28.
Missing reverse record(s) for address(es): 192.168.100.28.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://hadoop01.gyb.bigdata.demo.com/ipa/session/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
No SRV records of NTP servers found. IPA server address will be used
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring gyb.bigdata.demo.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
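The output above reports missing A/AAAA and reverse records for hadoop02 at 192.168.100.28, while the hosts mappings at the top of the page list 192.168.100.02 for the same name. The following is an added example, not part of the original post, of a check to run before enrolling: it confirms that the client's FQDN is inside the IPA DNS domain, maps to the address the host really uses, and is the first (canonical) name on its hosts entry. The function names are hypothetical and the sample data is copied from this page.

```shell
# Added example: pre-enrolment name check for a FreeIPA client.
# Function names are hypothetical; the hosts data is copied from this page.

# hosts_ip FILE NAME: print the address of the first entry that lists NAME.
hosts_ip() {
    awk -v n="$2" '{ sub(/#.*/, "") }
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' "$1"
}

# hosts_canon FILE IP: print the first (canonical) name on the entry for IP.
hosts_canon() {
    awk -v ip="$2" '{ sub(/#.*/, "") } NF >= 2 && $1 == ip { print $2; exit }' "$1"
}

# check_ipa_host FILE FQDN ADDR DOMAIN
# Prints one finding per line and returns 0 only when there are none.
check_ipa_host() {
    c_file=$1; c_fqdn=$2; c_addr=$3; c_dom=$4; c_rc=0
    case $c_fqdn in
        *."$c_dom") ;;
        *) echo "FAIL: $c_fqdn is outside DNS domain $c_dom"; c_rc=1 ;;
    esac
    c_ip=$(hosts_ip "$c_file" "$c_fqdn")
    if [ -z "$c_ip" ]; then
        echo "FAIL: no hosts entry for $c_fqdn"; c_rc=1
    elif [ "$c_ip" != "$c_addr" ]; then
        echo "FAIL: $c_fqdn maps to $c_ip, host address is $c_addr"; c_rc=1
    fi
    c_first=$(hosts_canon "$c_file" "${c_ip:-$c_addr}")
    if [ -n "$c_first" ] && [ "$c_first" != "$c_fqdn" ]; then
        echo "FAIL: canonical name is $c_first, expected the FQDN first"; c_rc=1
    fi
    return $c_rc
}

# Mappings as listed on this page (first two entries).
page_hosts() {
    cat <<'EOF'
192.168.100.01 hadoop01.gyb.bigdata.demo.com hadoop01
192.168.100.02 hadoop02.gyb.bigdata.demo.com hadoop02
EOF
}

# Demo: 192.168.100.28 is the address the installer reported for hadoop02.
demo_file=$(mktemp)
page_hosts > "$demo_file"
check_ipa_host "$demo_file" hadoop02.gyb.bigdata.demo.com 192.168.100.28 \
    gyb.bigdata.demo.com || echo "resolve the findings before enrolling"
rm -f "$demo_file"
```

On a real client, pass /etc/hosts, the output of hostname -f, and the address configured on the interface.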
2: Check on the server
Log in by running:
kinit admin